Cyble Uncovers Sophisticated Multi-Brand Phishing Campaign Targeting European Enterprises

The campaign, which impersonates trusted global brands including Adobe, Microsoft, FedEx, DHL, and regional telecommunications providers, represents a significant evolution in phishing tactics by circumventing conventional security measures through self-contained HTML files that require no external hosting infrastructure.

SMEStreet Edit Desk

Cyble Research and Intelligence Labs (CRIL) has identified a widespread and technically sophisticated phishing campaign that leverages HTML email attachments and Telegram's Bot API to harvest corporate credentials across multiple industries in Central and Eastern Europe.


Campaign Overview

Unlike traditional phishing attacks that rely on suspicious URLs or compromised servers, this operation embeds malicious JavaScript directly within otherwise well-formed HTML attachments disguised as business documents such as requests for quotation (RFQ) and invoices. When opened, these files render convincing brand-themed login interfaces locally, capture whatever the victim types, and send it straight to attacker-controlled Telegram bots through the Bot API. Because the page loads from the local file rather than from a phishing site, there is no landing-page URL for a link scanner or URL-reputation service to block; the only network activity is the outbound HTTPS request to api.telegram.org.

"This campaign demonstrates a concerning level of sophistication in both technical execution and social engineering," said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. "By eliminating the need for external hosting and leveraging legitimate platforms like Telegram for data exfiltration, threat actors have effectively bypassed many traditional email security controls."

Technical Sophistication

CRIL's analysis revealed multiple technical innovations employed by the attackers:

  • Advanced Obfuscation: the page body is wrapped with CryptoJS AES encryption and decrypted in the browser at load time, so a static scanner sees only ciphertext plus a small decryption stub; samples show a progression from plain JavaScript to layered anti-analysis measures. Since the victim's browser has to perform the decryption, the passphrase necessarily ships inside the same file, which means an analyst can recover the clear-text page without executing it.

  • Anti-Forensics Capabilities: JavaScript handlers that suppress the developer tools shortcut, view-source, right-click and text selection to hinder investigation. These controls act only inside a browser that runs the script; the file can still be read in any text editor or opened with JavaScript disabled.

  • Dual-Capture Mechanisms: after the first submission the victim is shown a fake "incorrect password" error and asked to enter the credentials again, so the attacker receives at least two entries and can discard typos.

  • Intelligence Gathering: the victim's IP address, user-agent string and other environment data are sent alongside the credentials.

The campaign utilizes a decentralized network of Telegram bots with distinct operational patterns, suggesting coordination among multiple threat actor groups or the use of automated toolkit generators.

Geographic and Industry Targeting

Primary targets include organizations across the Czech Republic, Slovakia, Hungary, and Germany, with affected sectors spanning:

  • Manufacturing and Automotive

  • Government and Law Enforcement Agencies

  • Energy and Utilities

  • Telecommunications

  • Professional Services

  • Hospitality and Retail

The threat actors demonstrate sophisticated understanding of regional business practices, customizing phishing lures with appropriate procurement terminology, language variants (including German, Spanish, and Korean), and industry-specific scenarios.

Multi-Brand Impersonation Strategy

The campaign's modular template system enables rapid deployment of new brand variants, including:

  • Global Technology Brands: Adobe, Microsoft, WeTransfer, DocuSign

  • Logistics Providers: FedEx, DHL

  • Regional Services: Telekom Deutschland/T-Mobile, Roundcube webmail

This multi-brand approach lets the same kit be matched to whichever service a given target is likely to trust, which raises the chance that at least one lure survives a recipient's scrutiny.

Scale and Ongoing Evolution

Research conducted over the past month identified numerous distinct HTML samples in circulation, with evidence of continuous technical refinement including:

  • Evolution from plain JavaScript to AES encryption obfuscation

  • Addition of sophisticated keyboard and mouse event blocking

  • Migration from jQuery to native Fetch API

  • Expansion to multi-language support

The modular nature of the attack infrastructure suggests the campaign will continue to evolve and expand to additional brands and geographic regions.

Recommendations for Organizations

Cyble recommends organizations implement immediate defensive measures:

For End Users:

  • Exercise extreme caution with unsolicited HTML attachments

  • Verify unexpected credential prompts through independent channels

  • Report suspicious emails to security teams immediately

For Security Operations Centers:

  • Monitor for connections to api.telegram.org from end-user devices. Telegram's own desktop and mobile clients reach Telegram's data centres over MTProto rather than through the Bot API host, so HTTPS from a workstation to api.telegram.org, and in particular a POST to a /bot<token>/ path, is rarely legitimate and is worth alerting on.

  • Inspect HTML attachments for Telegram Bot API references, and do so on the decoded content: a kit that AES-wraps its body hides the reference from a plain string search until the embedded passphrase has been applied.

  • Deploy sandboxing or blocking policies for .html/.htm attachments.

  • Conduct retroactive threat hunts using the indicators of compromise published with Cyble's full report.
